Dangerous BlackLotus bootkit can be used to hijack Windows 11 PCs

Microsoft Windows 11 running on an Apple MacBook laptop.
(Image credit: rawf8/Shutterstock)

Hackers have developed a bootkit called BlackLotus that’s capable of bypassing the built-in security protections in Windows 11 to install malware and take full control of vulnerable PCs.

First discovered back in October of last year, BlackLotus is a Unified Extensible Firmware Interface (UEFI) firmware rootkit that can be used to create backdoors on Windows machines. Like with other types of malware, it’s sold on the dark web for the initial price of $5,000 with upgrades to new versions costing $200.

What makes BlackLotus and other UEFI bootkits particularly dangerous is the fact that they’re deployed in a Windows PC’s firmware and give hackers full control over how the  operating system boots. According to The Hacker News, this lets hackers disable security mechanisms built into the operating system and deploy payloads with high privileges. 

Now though, a new report from ESET has shed light on BlackLotus’ ability to bypass UEFI Secure Boot on fully updated Windows 11 systems. 

Not just regular malware


(Image credit: solarseven/Shutterstock)

During its investigation into the matter, ESET uncovered six different BlackLotus installers after finding code patterns in samples brought to the cybersecurity firm. This led its researchers to the realization that BlackLotus isn’t just regular malware.

Besides running on systems with UEFI Secure Boot enabled, the bootkit can even disable built-in security mechanisms in Windows including BitLocker, HVCI and even Windows Defender. BlackLotus also leaves a kernel driver and an HTTP downloader on infected systems which allows it to communicate with a command and control (C&C) server to retrieve additional malware.

While updating to the latest version of an operating system can usually keep you protected, this bootkit exploits a vulnerability tracked as CVE-2022-21894 which has already been fixed. However, as vulnerable UEFI binaries still haven’t been revoked, BlackLotus can “stealthily operate on systems with UEFI Secure Boot enabled” according to ESET. 

Should you be worried about BlackLotus?

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

BlackLotus is certainly dangerous and a threat to the best computers running Windows 11. However, a bootkit that costs $5,000 will likely be used for espionage by nation-state hackers or cybercriminals trying to gather information on their next big target.

Ordinary hackers already have plenty of tools in their arsenal that they use against consumers like malicious apps and phishing emails while BlackLotus will likely be used to target enterprise customers and quite possibly even governments.

Still, if you are concerned, it’s always a good idea to update your computer and especially your browser to make sure you’re running the latest software. Likewise, the best antivirus software can help keep you protected from a majority of cyber threats while the best identity theft protection can help you recover from having your identity stolen and any financial losses you may have suffered as a result.

Microsoft and PC makers are well aware of the threat that a bootkit like BlackLotus can do which is why the vulnerable UEFI binaries it exploits will likely be revoked soon.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.